| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef NET_BASE_SERVER_BOUND_CERT_SERVICE_H_ | |
| 6 #define NET_BASE_SERVER_BOUND_CERT_SERVICE_H_ | |
| 7 | |
| 8 #include <map> | |
| 9 #include <string> | |
| 10 #include <vector> | |
| 11 | |
| 12 #include "base/basictypes.h" | |
| 13 #include "base/memory/scoped_ptr.h" | |
| 14 #include "base/memory/weak_ptr.h" | |
| 15 #include "base/threading/non_thread_safe.h" | |
| 16 #include "base/time.h" | |
| 17 #include "net/base/completion_callback.h" | |
| 18 #include "net/base/net_export.h" | |
| 19 #include "net/base/server_bound_cert_store.h" | |
| 20 #include "net/base/ssl_client_cert_type.h" | |
| 21 | |
| 22 namespace base { | |
| 23 class TaskRunner; | |
| 24 } | |
| 25 | |
| 26 namespace net { | |
| 27 | |
| 28 class ServerBoundCertServiceJob; | |
| 29 class ServerBoundCertServiceRequest; | |
| 30 class ServerBoundCertServiceWorker; | |
| 31 | |
| 32 // A class for creating and fetching server bound certs. | |
| 33 // Inherits from NonThreadSafe in order to use the function | |
| 34 // |CalledOnValidThread|. | |
| 35 class NET_EXPORT ServerBoundCertService | |
| 36 : NON_EXPORTED_BASE(public base::NonThreadSafe) { | |
| 37 public: | |
| 38 class NET_EXPORT RequestHandle { | |
| 39 public: | |
| 40 RequestHandle(); | |
| 41 ~RequestHandle(); | |
| 42 | |
| 43 // Cancel the request. Does nothing if the request finished or was already | |
| 44 // cancelled. | |
| 45 void Cancel(); | |
| 46 | |
| 47 bool is_active() const { return request_ != NULL; } | |
| 48 | |
| 49 private: | |
| 50 friend class ServerBoundCertService; | |
| 51 | |
| 52 void RequestStarted(ServerBoundCertService* service, | |
| 53 ServerBoundCertServiceRequest* request, | |
| 54 const CompletionCallback& callback); | |
| 55 | |
| 56 void OnRequestComplete(int result); | |
| 57 | |
| 58 ServerBoundCertService* service_; | |
| 59 ServerBoundCertServiceRequest* request_; | |
| 60 CompletionCallback callback_; | |
| 61 }; | |
| 62 | |
| 63 // Password used on EncryptedPrivateKeyInfo data stored in EC private_key | |
| 64 // values. (This is not used to provide any security, but to workaround NSS | |
| 65 // being unable to import unencrypted PrivateKeyInfo for EC keys.) | |
| 66 static const char kEPKIPassword[]; | |
| 67 | |
| 68 // This object owns |server_bound_cert_store|. |task_runner| will | |
| 69 // be used to post certificate generation worker tasks. The tasks are | |
| 70 // safe for use with WorkerPool and SequencedWorkerPool::CONTINUE_ON_SHUTDOWN. | |
| 71 ServerBoundCertService( | |
| 72 ServerBoundCertStore* server_bound_cert_store, | |
| 73 const scoped_refptr<base::TaskRunner>& task_runner); | |
| 74 | |
| 75 ~ServerBoundCertService(); | |
| 76 | |
| 77 // Returns the domain to be used for |host|. The domain is the | |
| 78 // "registry controlled domain", or the "ETLD + 1" where one exists, or | |
| 79 // the origin otherwise. | |
| 80 static std::string GetDomainForHost(const std::string& host); | |
| 81 | |
| 82 // Tests whether the system time is within the supported range for | |
| 83 // certificate generation. This value is cached when ServerBoundCertService | |
| 84 // is created, so if the system time is changed by a huge amount, this may no | |
| 85 // longer hold. | |
| 86 bool IsSystemTimeValid() const { return is_system_time_valid_; } | |
| 87 | |
| 88 // Fetches the domain bound cert for the specified origin of the specified | |
| 89 // type if one exists and creates one otherwise. Returns OK if successful or | |
| 90 // an error code upon failure. | |
| 91 // | |
| 92 // |requested_types| is a list of the TLS ClientCertificateTypes the site will | |
| 93 // accept, ordered from most preferred to least preferred. Types we don't | |
| 94 // support will be ignored. See ssl_client_cert_type.h. | |
| 95 // | |
| 96 // On successful completion, |private_key| stores a DER-encoded | |
| 97 // PrivateKeyInfo struct, and |cert| stores a DER-encoded certificate, and | |
| 98 // |type| specifies the type of certificate that was returned. | |
| 99 // | |
| 100 // |callback| must not be null. ERR_IO_PENDING is returned if the operation | |
| 101 // could not be completed immediately, in which case the result code will | |
| 102 // be passed to the callback when available. | |
| 103 // | |
| 104 // |*out_req| will be initialized with a handle to the async request. This | |
| 105 // RequestHandle object must be cancelled or destroyed before the | |
| 106 // ServerBoundCertService is destroyed. | |
| 107 int GetDomainBoundCert( | |
| 108 const std::string& origin, | |
| 109 const std::vector<uint8>& requested_types, | |
| 110 SSLClientCertType* type, | |
| 111 std::string* private_key, | |
| 112 std::string* cert, | |
| 113 const CompletionCallback& callback, | |
| 114 RequestHandle* out_req); | |
| 115 | |
| 116 // Returns the backing ServerBoundCertStore. | |
| 117 ServerBoundCertStore* GetCertStore(); | |
| 118 | |
| 119 // Public only for unit testing. | |
| 120 int cert_count(); | |
| 121 uint64 requests() const { return requests_; } | |
| 122 uint64 cert_store_hits() const { return cert_store_hits_; } | |
| 123 uint64 inflight_joins() const { return inflight_joins_; } | |
| 124 | |
| 125 private: | |
| 126 // Cancels the specified request. |req| is the handle stored by | |
| 127 // GetDomainBoundCert(). After a request is canceled, its completion | |
| 128 // callback will not be called. | |
| 129 void CancelRequest(ServerBoundCertServiceRequest* req); | |
| 130 | |
| 131 void GotServerBoundCert(const std::string& server_identifier, | |
| 132 SSLClientCertType type, | |
| 133 base::Time expiration_time, | |
| 134 const std::string& key, | |
| 135 const std::string& cert); | |
| 136 void GeneratedServerBoundCert( | |
| 137 const std::string& server_identifier, | |
| 138 int error, | |
| 139 scoped_ptr<ServerBoundCertStore::ServerBoundCert> cert); | |
| 140 void HandleResult(int error, | |
| 141 const std::string& server_identifier, | |
| 142 SSLClientCertType type, | |
| 143 const std::string& private_key, | |
| 144 const std::string& cert); | |
| 145 | |
| 146 scoped_ptr<ServerBoundCertStore> server_bound_cert_store_; | |
| 147 scoped_refptr<base::TaskRunner> task_runner_; | |
| 148 | |
| 149 // inflight_ maps from a server to an active generation which is taking | |
| 150 // place. | |
| 151 std::map<std::string, ServerBoundCertServiceJob*> inflight_; | |
| 152 base::WeakPtrFactory<ServerBoundCertService> weak_ptr_factory_; | |
| 153 | |
| 154 uint64 requests_; | |
| 155 uint64 cert_store_hits_; | |
| 156 uint64 inflight_joins_; | |
| 157 | |
| 158 bool is_system_time_valid_; | |
| 159 | |
| 160 DISALLOW_COPY_AND_ASSIGN(ServerBoundCertService); | |
| 161 }; | |
| 162 | |
| 163 } // namespace net | |
| 164 | |
| 165 #endif // NET_BASE_SERVER_BOUND_CERT_SERVICE_H_ | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 12680003:
net: split net/ssl out of net/base (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src